<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#FFFFFF">
<div>Are you using "-k none" in production? It is "usually" preferred to use this option on/while testing rather than in production. What is the checksum option in your snort.conf?</div>
<div><br>
</div>
<div>In this case, the only potential candidate problem is the NIC checksum offloading stuff. Use ethtool to disable lro, gro, etc., and then test again without "-k none".</div>
<div><br>
</div>
<div>YM<br>
<br>
<div class="acompli_signature">Sent from Mobile</div>
<br>
</div>
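<div>To make the checksum effect discussed in this thread concrete, here is an added Python example (not from the thread and not Snort code), built from the fields BASE shows for "Ex 2" further down: 204.13.251.3:53 to 192.168.178.240:30215, IP ID 32280, TTL 54 and the 60-byte DNS answer. It computes the IP header checksum (which should come out as the 0x8bd2 BASE displays), then classifies three states of the UDP checksum field: correct, absent (zero), and the partial value a capture on the sending host sees when the NIC is left to finish the checksum. The "offload" fill and the snort_inspects() model are assumptions that simplify the Linux and Snort behaviour the thread describes.</div>

```python
import socket
import struct

# Constructed from the Ex 2 alert fields shown in the thread (BASE display).
SRC, DST = "204.13.251.3", "192.168.178.240"
SPORT, DPORT, IP_ID, TTL, UDP_PROTO = 53, 30215, 32280, 54, 17
# The 60-byte DNS answer exactly as dumped in the Ex 2 payload.
DNS_ANSWER = bytes.fromhex("fb71840000010001000000010b736f75726365666f726765036e657400000100"
                           "01c00c000100010000012c0004d822b53c0000291000000080000000")

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071); an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    # Internet checksum: complement of the one's-complement sum.
    return (~ones_complement_sum(data)) & 0xFFFF

def ipv4_header(payload_len: int, df: bool = True) -> bytes:
    """20-byte IPv4 header for the Ex 2 packet, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, IP_ID,
                      0x4000 if df else 0, TTL, UDP_PROTO, 0,
                      socket.inet_aton(SRC), socket.inet_aton(DST))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def ip_checksum_field(hdr: bytes) -> int:
    return struct.unpack("!H", hdr[10:12])[0]

def pseudo_header(udp_len: int) -> bytes:
    """IPv4 pseudo-header that the UDP checksum also covers (RFC 768)."""
    return (socket.inet_aton(SRC) + socket.inet_aton(DST)
            + struct.pack("!BBH", 0, UDP_PROTO, udp_len))

def udp_segment(payload: bytes, fill: str) -> bytes:
    """UDP header + payload; `fill` selects the checksum field contents:
    'ok'      correct checksum, what the wire carries once the NIC filled it in
    'zero'    no checksum at all, which RFC 768 allows for UDP over IPv4
    'offload' only the pseudo-header partial sum the kernel leaves for the NIC to
              finish (assumed simplification of Linux CHECKSUM_PARTIAL), i.e. what
              a capture on the sending host itself sees with TX offload enabled"""
    udp_len = 8 + len(payload)
    hdr = struct.pack("!HHHH", SPORT, DPORT, udp_len, 0)
    if fill == "ok":
        csum = checksum(pseudo_header(udp_len) + hdr + payload) or 0xFFFF
    elif fill == "zero":
        csum = 0
    elif fill == "offload":
        csum = ones_complement_sum(pseudo_header(udp_len))
    else:
        raise ValueError("unknown fill: %s" % fill)
    return hdr[:6] + struct.pack("!H", csum) + payload

def classify_udp(segment: bytes) -> str:
    """'none' if the field is 0, 'ok' if the checksum verifies, else 'bad'."""
    udp_len, field = struct.unpack("!HH", segment[4:8])
    if field == 0:
        return "none"
    total = ones_complement_sum(pseudo_header(udp_len) + segment[:udp_len])
    return "ok" if total == 0xFFFF else "bad"

def snort_inspects(state: str, k_option: str) -> bool:
    """Model of what the thread describes: with verification on ('-k all', the
    default) a bad-checksum packet is not analyzed; '-k none' inspects everything."""
    return k_option == "none" or state in ("ok", "none")

if __name__ == "__main__":
    print("IP checksum 0x%04x" % ip_checksum_field(ipv4_header(8 + len(DNS_ANSWER))))
    for fill in ("ok", "zero", "offload"):
        st = classify_udp(udp_segment(DNS_ANSWER, fill))
        print(fill, st, "-k all:", snort_inspects(st, "all"), "-k none:", snort_inspects(st, "none"))
```

<div>The "offload" row is the case the thread is about: the packet is fine once it leaves the NIC, but the sensor on the sending host captured it earlier and, with verification on, skips it; "-k none" makes it inspect that packet and every genuinely corrupt one as well.</div>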
<br>
<br>
<br>
<div class="gmail_quote">On Mon, Apr 11, 2016 at 3:37 PM -0700, "Claus Regelmann"
<span dir="ltr"><<a href="mailto:rgc@...17118..." target="_blank">rgc@...17118...</a>></span> wrote:<br>
<br>
</div>
<div>
<div class="moz-cite-prefix">But there are lots of 'false positives' concerning DNS if I use the runtime option "-k none".<br>
About 300 within 10 minutes.<br>
<br>
Claus<br>
-----------------<br>
<table bgcolor="#FFFFFF" border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody>
<tr>
<td class="plfieldhdr">   </td>
<td class="plfieldhdr"> <a href="http://rgc1/base/base_stat_alerts.php?caller=&sort_order=sig_a"><</a> Signature <a href="http://rgc1/base/base_stat_alerts.php?caller=&sort_order=sig_d">></a> </td>
<td class="plfieldhdr"> <a href="http://rgc1/base/base_stat_alerts.php?caller=&sort_order=class_a"><</a> Classification <a href="http://rgc1/base/base_stat_alerts.php?caller=&sort_order=class_d">></a> </td>
<td class="plfieldhdr"> <a href="http://rgc1/base/base_stat_alerts.php?caller=&sort_order=occur_a"><</a> Total # <a href="http://rgc1/base/base_stat_alerts.php?caller=&sort_order=occur_d">></a> </td>
<td class="plfieldhdr"> Sensor # </td>
<td class="plfieldhdr"> <a href="http://rgc1/base/base_stat_alerts.php?caller=&sort_order=saddr_a"><</a> Source Address <a href="http://rgc1/base/base_stat_alerts.php?caller=&sort_order=saddr_d">></a> </td>
<td class="plfieldhdr"> <a href="http://rgc1/base/base_stat_alerts.php?caller=&sort_order=daddr_a"><</a> Dest. Address <a href="http://rgc1/base/base_stat_alerts.php?caller=&sort_order=daddr_d">></a> </td>
<td class="plfieldhdr"> <a href="http://rgc1/base/base_stat_alerts.php?caller=&sort_order=first_a"><</a> First <a href="http://rgc1/base/base_stat_alerts.php?caller=&sort_order=first_d">></a> </td>
<td class="plfieldhdr"> <a href="http://rgc1/base/base_stat_alerts.php?caller=&sort_order=last_a"><</a> Last <a href="http://rgc1/base/base_stat_alerts.php?caller=&sort_order=last_d">></a> </td>
</tr>
<tr bgcolor="#FF9900">
<td>   <input name="action_chk_lst[0]" value="40255" type="checkbox">    </td>
<td align="center" valign="top"><font size="-1">[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1690" target="_ACID_ALERT_DESC">cve</a>]</font>
<font size="-1">[<a href="http://icat.nist.gov/icat.cfm?cvename=CAN-2010-1690" target="_ACID_ALERT_DESC">icat</a>]</font>
<font size="-1">[<a href="http://technet.microsoft.com/en-us/security/bulletin/MS10-024" target="_ACID_ALERT_DESC">url</a>]</font>
<font size="-1">[<a href="http://www.snort.org/search/sid/3-21355" target="_ACID_ALERT_DESC">snort</a>]</font> PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid
</td>
<td align="center" valign="top">attempted-recon </td>
<td align="center" valign="top"><font><a href="http://rgc1/base/base_qry_main.php?new=1amp;&sig%5B0%5D=%3D&sig%5B1%5D=40255&sig_type=1&submit=Query+DB&num_result_rows=-1">187</a>(67%)</font>
</td>
<td align="center" valign="top"><a href="http://rgc1/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5D=40255&sig_type=1">1</a>
</td>
<td align="center" valign="top"><font><a href="http://rgc1/base/base_stat_uaddr.php?addr_type=1&sig_type=1&sig%5B0%5D=%3D&sig%5B1%5D=40255">103</a></font>
</td>
<td align="center" valign="top"><font><a href="http://rgc1/base/base_stat_uaddr.php?addr_type=2&sig_type=1&sig%5B0%5D=%3D&sig%5B1%5D=40255">1</a></font>
</td>
<td align="center" valign="top"><font>2016-04-10 12:59:06.542</font> </td>
<td align="center" valign="top"><font>2016-04-10 13:05:51.522</font> </td>
</tr>
<tr bgcolor="#FFFF00">
<td>   <input name="action_chk_lst[1]" value="40274" type="checkbox">    </td>
<td align="center" valign="top"><font size="-1">[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1889" target="_ACID_ALERT_DESC">cve</a>]</font>
<font size="-1">[<a href="http://icat.nist.gov/icat.cfm?cvename=CAN-2011-1889" target="_ACID_ALERT_DESC">icat</a>]</font>
<font size="-1">[<a href="http://technet.microsoft.com/en-us/security/bulletin/MS11-040" target="_ACID_ALERT_DESC">url</a>]</font>
<font size="-1">[<a href="http://www.snort.org/search/sid/3-19187" target="_ACID_ALERT_DESC">snort</a>]</font> PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
</td>
<td align="center" valign="top">attempted-user </td>
<td align="center" valign="top"><font><a href="http://rgc1/base/base_qry_main.php?new=1amp;&sig%5B0%5D=%3D&sig%5B1%5D=40274&sig_type=1&submit=Query+DB&num_result_rows=-1">92</a>(33%)</font>
</td>
<td align="center" valign="top"><a href="http://rgc1/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5D=40274&sig_type=1">1</a>
</td>
<td align="center" valign="top"><font><a href="http://rgc1/base/base_stat_uaddr.php?addr_type=1&sig_type=1&sig%5B0%5D=%3D&sig%5B1%5D=40274">50</a></font>
</td>
<td align="center" valign="top"><font><a href="http://rgc1/base/base_stat_uaddr.php?addr_type=2&sig_type=1&sig%5B0%5D=%3D&sig%5B1%5D=40274">1</a></font>
</td>
<td align="center" valign="top"><font>2016-04-10 12:57:29.458</font> </td>
<td align="center" valign="top"><font>2016-04-10 13:05:52.782</font></td>
</tr>
</tbody>
</table>
<br>
Ex 1:<br>
<table border="1" width="90%">
<tbody>
<tr>
<td class="metatitle" rowspan="4" align="CENTER" width="50">Meta </td>
<td>
<table border="1" cellpadding="4">
<tbody>
<tr>
<td class="plfieldhdr">ID #</td>
<td class="plfieldhdr">Time</td>
<td class="plfieldhdr">Triggered Signature</td>
</tr>
<tr>
<td class="plfield">1 - 71408</td>
<td class="plfield">2016-04-10 13:05:52.782</td>
<td class="plfield"><font size="-1">[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1889" target="_ACID_ALERT_DESC">cve</a>]</font>
<font size="-1">[<a href="http://icat.nist.gov/icat.cfm?cvename=CAN-2011-1889" target="_ACID_ALERT_DESC">icat</a>]</font>
<font size="-1">[<a href="http://technet.microsoft.com/en-us/security/bulletin/MS11-040" target="_ACID_ALERT_DESC">url</a>]</font>
<font size="-1">[<a href="http://www.snort.org/search/sid/3-19187" target="_ACID_ALERT_DESC">snort</a>]</font> PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td>
<table border="1" cellpadding="4">
<tbody>
<tr>
<td class="metatitle" rowspan="2" align="CENTER">Sensor</td>
<td class="plfieldhdr">Sensor Address</td>
<td class="plfieldhdr">Interface</td>
<td class="plfieldhdr">Filter</td>
</tr>
<tr>
<td class="plfield">rgc1:eth0</td>
<td class="plfield">eth0</td>
<td class="plfield"> <i>none</i> </td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td>
<table border="1" cellpadding="4">
<tbody>
<tr>
<td class="metatitle" rowspan="1" align="CENTER">Alert Group</td>
<td>  <i>none</i> </td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<table border="1" width="90%">
<tbody>
<tr>
<td class="iptitle" rowspan="3" align="CENTER" width="50">IP </td>
<td>
<table border="1" cellpadding="2">
<tbody>
<tr>
<td class="plfieldhdr">Source Address</td>
<td class="plfieldhdr"> Dest. Address </td>
<td class="plfieldhdr">Ver</td>
<td class="plfieldhdr">Hdr Len</td>
<td class="plfieldhdr">TOS</td>
<td class="plfieldhdr">length</td>
<td class="plfieldhdr">ID</td>
<td class="plfieldhdr">fragment</td>
<td class="plfieldhdr">offset</td>
<td class="plfieldhdr">TTL</td>
<td class="plfieldhdr">chksum</td>
</tr>
<tr>
<td class="plfield"><a href="http://rgc1/base/base_stat_ipaddr.php?ip=204.13.251.13&netmask=32">204.13.251.13</a></td>
<td class="plfield"><a href="http://rgc1/base/base_stat_ipaddr.php?ip=192.168.178.240&netmask=32">192.168.178.240</a></td>
<td class="plfield">4</td>
<td class="plfield">20</td>
<td class="plfield">0</td>
<td class="plfield">200</td>
<td class="plfield">2679</td>
<td class="plfield">no</td>
<td class="plfield">0</td>
<td class="plfield">54</td>
<td class="plfield">65273<br>
= 0xfef9</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td>
<table border="1" cellpadding="4">
<tbody>
<tr>
<td class="iptitle" rowspan="1" align="CENTER">Options</td>
<td>    <i>none </i></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<table border="1" width="90%">
<tbody>
<tr>
<td class="layer4title" rowspan="2" align="CENTER" width="50">UDP</td>
<td>
<table border="1" cellpadding="2">
<tbody>
<tr>
<td class="plfieldhdr">source port</td>
<td class="plfieldhdr">dest port</td>
<td class="plfieldhdr">length</td>
</tr>
<tr>
<td class="plfield">53<br>
[<a href="http://isc.sans.org/port.html?port=53" target="_ACID_PORT_">sans</a>] [<a href="http://ports.tantalo.net/?q=53" target="_ACID_PORT_">tantalo</a>] [<a href="http://www.securitystats.com/tools/portsearch.php?type=port&select=any&Submit=Submit&input=53" target="_ACID_PORT_">sstats</a>]
</td>
<td class="plfield">1874<br>
[<a href="http://isc.sans.org/port.html?port=1874" target="_ACID_PORT_">sans</a>] [<a href="http://ports.tantalo.net/?q=1874" target="_ACID_PORT_">tantalo</a>] [<a href="http://www.securitystats.com/tools/portsearch.php?type=port&select=any&Submit=Submit&input=1874" target="_ACID_PORT_">sstats</a>]
</td>
<td class="plfield">180</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<table border="1" width="90%">
<tbody>
<tr>
<td class="payloadtitle" rowspan="2" align="CENTER" width="50">Payload<br>
<br>
<center><a href="http://rgc1/base/base_qry_alert.php?submit=%230-%281-71408%29&sort_order=&asciiclean=1">Plain Display</a></center>
<br>
<center><a href="http://rgc1/base/base_payload.php?submit=%230-%281-71408%29&download=1&cid=71408&sid=1&asciiclean=0">Download of Payload</a></center>
<br>
<center><a href="http://rgc1/base/base_payload.php?submit=%230-%281-71408%29&download=3&cid=71408&sid=1&asciiclean=0">Download in pcap format</a></center>
</td>
<td>
<pre> length = 172

000 : 2A 12 84 00 00 01 00 08 00 00 00 01 02 65 31 08   *............e1.
010 : 77 68 61 74 73 61 70 70 03 6E 65 74 00 00 01 00   whatsapp.net....
020 : 01 C0 0C 00 01 00 01 00 00 0E 10 00 04 AD C0 DE   ................
030 : A8 C0 0C 00 01 00 01 00 00 0E 10 00 04 A9 2D D6   ..............-.
040 : E5 C0 0C 00 01 00 01 00 00 0E 10 00 04 AD C0 DE   ................
050 : A9 C0 0C 00 01 00 01 00 00 0E 10 00 04 AD C0 DE   ................
060 : AB C0 0C 00 01 00 01 00 00 0E 10 00 04 9E 55 3A   ..............U:
070 : 4D C0 0C 00 01 00 01 00 00 0E 10 00 04 A9 2D DB   M.............-.
080 : FD C0 0C 00 01 00 01 00 00 0E 10 00 04 AD C1 CD   ................
090 : 18 C0 0C 00 01 00 01 00 00 0E 10 00 04 AE 24 D2   ..............$.
0a0 : 2E 00 00 29 10 00 00 00 80 00 00 00               ...)........
</pre>
</td>
</tr>
</tbody>
</table>
Ex 2:<br>
<table border="1" width="90%">
<tbody>
<tr>
<td class="metatitle" rowspan="4" align="CENTER" width="50">Meta </td>
<td>
<table border="1" cellpadding="4">
<tbody>
<tr>
<td class="plfieldhdr">ID #</td>
<td class="plfieldhdr">Time</td>
<td class="plfieldhdr">Triggered Signature</td>
</tr>
<tr>
<td class="plfield">1 - 71407</td>
<td class="plfield">2016-04-10 13:05:51.522</td>
<td class="plfield"><font size="-1">[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1690" target="_ACID_ALERT_DESC">cve</a>]</font>
<font size="-1">[<a href="http://icat.nist.gov/icat.cfm?cvename=CAN-2010-1690" target="_ACID_ALERT_DESC">icat</a>]</font>
<font size="-1">[<a href="http://technet.microsoft.com/en-us/security/bulletin/MS10-024" target="_ACID_ALERT_DESC">url</a>]</font>
<font size="-1">[<a href="http://www.snort.org/search/sid/3-21355" target="_ACID_ALERT_DESC">snort</a>]</font> PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td>
<table border="1" cellpadding="4">
<tbody>
<tr>
<td class="metatitle" rowspan="2" align="CENTER">Sensor</td>
<td class="plfieldhdr">Sensor Address</td>
<td class="plfieldhdr">Interface</td>
<td class="plfieldhdr">Filter</td>
</tr>
<tr>
<td class="plfield">rgc1:eth0</td>
<td class="plfield">eth0</td>
<td class="plfield"> <i>none</i> </td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td>
<table border="1" cellpadding="4">
<tbody>
<tr>
<td class="metatitle" rowspan="1" align="CENTER">Alert Group</td>
<td>  <i>none</i> </td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<table border="1" width="90%">
<tbody>
<tr>
<td class="iptitle" rowspan="3" align="CENTER" width="50">IP </td>
<td>
<table border="1" cellpadding="2">
<tbody>
<tr>
<td class="plfieldhdr">Source Address</td>
<td class="plfieldhdr"> Dest. Address </td>
<td class="plfieldhdr">Ver</td>
<td class="plfieldhdr">Hdr Len</td>
<td class="plfieldhdr">TOS</td>
<td class="plfieldhdr">length</td>
<td class="plfieldhdr">ID</td>
<td class="plfieldhdr">fragment</td>
<td class="plfieldhdr">offset</td>
<td class="plfieldhdr">TTL</td>
<td class="plfieldhdr">chksum</td>
</tr>
<tr>
<td class="plfield"><a href="http://rgc1/base/base_stat_ipaddr.php?ip=204.13.251.3&netmask=32">204.13.251.3</a></td>
<td class="plfield"><a href="http://rgc1/base/base_stat_ipaddr.php?ip=192.168.178.240&netmask=32">192.168.178.240</a></td>
<td class="plfield">4</td>
<td class="plfield">20</td>
<td class="plfield">0</td>
<td class="plfield">88</td>
<td class="plfield">32280</td>
<td class="plfield">no</td>
<td class="plfield">0</td>
<td class="plfield">54</td>
<td class="plfield">35794<br>
= 0x8bd2</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td>
<table border="1" cellpadding="4">
<tbody>
<tr>
<td class="iptitle" rowspan="1" align="CENTER">Options</td>
<td>    <i>none </i></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<table border="1" width="90%">
<tbody>
<tr>
<td class="layer4title" rowspan="2" align="CENTER" width="50">UDP</td>
<td>
<table border="1" cellpadding="2">
<tbody>
<tr>
<td class="plfieldhdr">source port</td>
<td class="plfieldhdr">dest port</td>
<td class="plfieldhdr">length</td>
</tr>
<tr>
<td class="plfield">53<br>
[<a href="http://isc.sans.org/port.html?port=53" target="_ACID_PORT_">sans</a>] [<a href="http://ports.tantalo.net/?q=53" target="_ACID_PORT_">tantalo</a>] [<a href="http://www.securitystats.com/tools/portsearch.php?type=port&select=any&Submit=Submit&input=53" target="_ACID_PORT_">sstats</a>]
</td>
<td class="plfield">30215<br>
[<a href="http://isc.sans.org/port.html?port=30215" target="_ACID_PORT_">sans</a>] [<a href="http://ports.tantalo.net/?q=30215" target="_ACID_PORT_">tantalo</a>] [<a href="http://www.securitystats.com/tools/portsearch.php?type=port&select=any&Submit=Submit&input=30215" target="_ACID_PORT_">sstats</a>]
</td>
<td class="plfield">68</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<table border="1" width="90%">
<tbody>
<tr>
<td class="payloadtitle" rowspan="2" align="CENTER" width="50">Payload<br>
<br>
<center><a href="http://rgc1/base/base_qry_alert.php?submit=%20Next%20%23185-%281-71407%29&sort_order=&asciiclean=1">Plain Display</a></center>
<br>
<center><a href="http://rgc1/base/base_payload.php?submit=%20Next%20%23185-%281-71407%29&download=1&cid=71407&sid=1&asciiclean=0">Download of Payload</a></center>
<br>
<center><a href="http://rgc1/base/base_payload.php?submit=%20Next%20%23185-%281-71407%29&download=3&cid=71407&sid=1&asciiclean=0">Download in pcap format</a></center>
</td>
<td>
<pre> length = 60

000 : FB 71 84 00 00 01 00 01 00 00 00 01 0B 73 6F 75   .q...........sou
010 : 72 63 65 66 6F 72 67 65 03 6E 65 74 00 00 01 00   rceforge.net....
020 : 01 C0 0C 00 01 00 01 00 00 01 2C 00 04 D8 22 B5   ..........,...".
030 : 3C 00 00 29 10 00 00 00 80 00 00 00               <..)........
</pre>
</td>
</tr>
</tbody>
</table>
<br>
<br>
<br>
On 04/08/2016 11:39 PM, Claus Regelmann wrote:<br>
</div>
<blockquote type="cite">
<pre>great hint!!!
I didn't realize the impacts of this option before.
THANKS
Claus
On 04/08/2016 10:22 PM, Y M wrote:
</pre>
<blockquote type="cite">
<pre>Would using "-k none" when running Snort helps?

YM

________________________________________
From: Claus Regelmann <a class="moz-txt-link-rfc2396E" href="mailto:rgc@...17118..."><rgc@...17118...></a>
Sent: Friday, April 8, 2016 7:19 PM
To: <a class="moz-txt-link-abbreviated" href="mailto:snort-users@...8192...sourceforge.net">snort-users@lists.sourceforge.net</a>
Subject: Re: [Snort-users] missing alerts: Snort does not inspect payload from the machine it's running on?

I dove into the source code and eventually found a solution that works at least in 'my' environment:
Packet errors are checked in function "Preprocess" (file decode.c).
This checking includes checksum errors. If a packet comes from a local process and is
captured before it goes on to the real HW, is there a valid checksum? It does not seem so!
I masked checksum errors in "Preprocess" ... it works. Here is my (1st) patch:
-- 8< ------------ >8 --
diff -Naur snort-2.9.8.2/src/detect.c snort-2.9.8.2-cr/src/detect.c
--- snort-2.9.8.2/src/detect.c  2016-03-18 14:54:31.000000000 +0100
+++ snort-2.9.8.2-cr/src/detect.c       2016-04-08 16:04:47.000000000 +0200
@@ -199,15 +199,14 @@
   #endif

       // If the packet has errors, we won't analyze it.
-    if ( p->error_flags )
+    if ( p->error_flags & ~PKT_ERR_CKSUM_ANY ) // RgC: ignore chksum errors
       {
           // process any decoder alerts now that policy has been selected...
           DecodePolicySpecific(p);

           //actions are queued only for IDS case
           sfActionQueueExecAll(decoderActionQ);
-        DEBUG_WRAP(DebugMessage(DEBUG_DETECT,
-            "Packet errors = 0x%x, ignoring traffic!\n", p->error_flags););
+        LogMessage("RgC::detect.c:Prepocess: Packet errors = 0x%x, ignoring traffic!\n", p->error_flags);

           if ( p->error_flags & PKT_ERR_BAD_TTL )
               pc.bad_ttl++;
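Review bot: the new condition at the top of the hunk masks checksum errors for every packet the sensor sees, not only for packets generated on the sensor host itself, so corrupted packets that the receiving stack would discard are now analyzed; that is the same effect as the runtime option "-k none" discussed in this thread, and the roughly 300 DNS alerts in 10 minutes reported with "-k none" later in the thread are what to expect from it. Prefer fixing the capture side (disable checksum offload on the capture interface so the captured checksums are correct), or at least limit the mask to packets whose source is one of the sensor's own addresses. Second, swapping the DEBUG_WRAP(DebugMessage(...)) for an unconditional LogMessage(...) writes a log line for every packet with an error flag, which at production packet rates floods the log; keep it under DEBUG_WRAP or rate-limit it. Two smaller points: the diff header names src/detect.c while the text above says decode.c, and the log string spells "Prepocess".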
-- 8< ------------ >8 --

Shouldn't DAQ revise this checksum problem before?

--------------
Claus Regelmann


On 03/19/2016 12:15 AM, Claus Regelmann wrote:
</pre>
<blockquote type="cite">
<pre>Hello,

My Snort runs on a small ATOM-based firewall between the internet router and the internal net.

+------------- +                        +----------+
| (NAT) router | <--192.168.178.0/24--> | firewall | <--10.1.0.0/16--> privat-net
+--------------+ ^                    ^ +----------+
      192.168.178.1 +                    |192.168.178.240
                                         +-- snort listen here in passive mode

Test cases:

1.) I run 'openssl s_client ...' to connect to a Dridex-CnC. I run this twice, from an internal host and from the firewall.
The result is OK, two alerts:
--8< ------ >8--
       ID       < Signature >           < Timestamp >           < Source Address >      < Dest. Address >       < Layer 4 Proto >
#0-(1-90832)  [snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D)        2016-03-18 03:22:19.993 192.168.178.240:40533   87.106.18.216:4483      TCP
#1-(1-90830)  [snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D)        2016-03-18 03:17:02.652 10.1.1.5:53410  87.106.18.216:4483      TCP
--8< ------ >8--

2.) The router hosts a DNS-forwarder.
I run 'host 0if1nl6.org 192.168.178.1' to look up a ZeuS host, again from the firewall and the internal host.
But now only the query from the internal host alerts:
--8< ------ >8--
        ID      < Signature >           < Timestamp >           < Source Address >      < Dest. Address >       < Layer 4 Proto >
#0-(1-90896)  [snort] ZeuS Tracker: ZeuS CnC DNS lookup: 0if1nl6.org  2016-03-18 22:44:06.68  10.1.1.5:54346  192.168.178.1:53        UDP
--8< ------ >8--

3.) I wrote a small test rule:
       'alert tcp $HOME_NET any -> any 80 (msg:"RgC: TEST pattern found"; pcre:"/[^\/]*\/[0-9a-f]{5,8}\//U"; classtype:trojan-activity; sid:1000007; rev:1;)'.
I run 'wget <a class="moz-txt-link-freetext" href="http://...../abcdef01/zzz">http://...../abcdef01/zzz</a>' on the firewall and the internal host.
Again, only the internal case alerts:
--8< ------ >8--
        ID      < Signature >           < Timestamp >           < Source Address >      < Dest. Address >       < Layer 4 Proto >
#0-(1-90897)  [snort] RgC: TEST pattern found         2016-03-18 23:06:51.482         10.1.1.5:37733  193.99.144.85:80        TCP
--8< ------ >8--

The 1st case only inspects header information.
The last two cases need the payload.

* Does anybody have an idea what's going wrong here??? *

I run snort version 2.9.7.6, self-compiled from sources (LFS).
My home-net is set to 'ipvar HOME_NET [192.168.178.240,10.1.0.0/16]'

Thank you
Claus Regelmann


------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
<a class="moz-txt-link-freetext" href="http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140">http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140</a>
_______________________________________________
Snort-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Snort-users@...4626...ceforge.net">Snort-users@lists.sourceforge.net</a>
Go to this URL to change user options or unsubscribe:
<a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/snort-users">https://lists.sourceforge.net/lists/listinfo/snort-users</a>
Snort-users list archive:
<a class="moz-txt-link-freetext" href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</a>

Please visit <a class="moz-txt-link-freetext" href="http://blog.snort.org">http://blog.snort.org</a> to stay current on all the latest Snort news!

</pre>
</blockquote>
</blockquote>
</blockquote>
<br>
<br>
</div>
</body>
</html>